Data breaches have affected 63 Australian organisations since 22 February, with 24 per cent of them in healthcare, according to the Office of the Information Commissioner’s first report since the mandatory data breach reporting legislation came into effect.
Of the total breaches, health information was involved in 33 per cent of cases, the report released today said.
The Notifiable Data Breaches scheme, which came into force on 22 February, requires entities with obligations under the Privacy Act 1988 to secure personal information to notify both the affected individuals and the OAIC when personal information is involved in a data breach that is likely to result in serious harm.
In the six weeks since its introduction, the scheme has unearthed breaches that might otherwise have remained secreted away within organisations: the 63 breaches reported so far already amount to more than half of the 114 data breach notifications disclosed voluntarily across the whole 2016–17 financial year.
The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said a data breach notification gives people the chance to take steps that can reduce their risk of experiencing harm, such as changing passwords for online accounts. It also encourages a higher standard of security from government agencies and eligible businesses.
“Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks,” Falk said.
Human error was responsible for 51 per cent of the breaches, which indicates the need for organisations to prioritise cybersecurity processes such as staff training.
“This highlights the importance of implementing robust privacy governance alongside a high standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information.”
Of the eligible data breach notifications made to the OAIC:
- the top five sectors were healthcare providers (24 per cent), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent);
- 78 per cent involved people’s contact information, 33 per cent health information and 30 per cent financial details;
- 51 per cent indicated the cause to be human error, 44 per cent were the result of malicious or criminal attack, and 3 per cent occurred through system faults;
- 90 per cent related to breaches involving the personal information of fewer than 1,000 individuals.
The OAIC’s 2017 Australian Community Attitudes to Privacy Survey found that Australians have an expectation of transparency when serious data breaches occur, with 94 per cent claiming they should be told when personal information is lost by an organisation.